Note: B.ROOT-SERVERS.NET's addresses will be changed November 27, 2023.
9.18.20 (2023-11-15)
6280. [bug] Fix missing newlines in the output of "rndc nta -dump".
[GL !8454]
6277. [bug] Take into account local authoritative zones when
falling back to serve-stale. [GL #4355]
6275. [bug] Fix assertion failure when using lock-file configuration
option together with -X argument to named. [GL #4386]
6274. [bug] The 'lock-file' file was being removed when it
shouldn't have been, making it ineffective if named was
started 3 or more times. [GL #4387]
6271. [bug] Fix a shutdown race in dns__catz_update_cb(). [GL #4381]
6269. [maint] B.ROOT-SERVERS.NET addresses are now 170.247.170.2 and
2801:1b8:10::b. [GL #4101]
6267. [func] The timeouts for resending zone refresh queries over UDP
were lowered to enable named to more quickly determine
that a primary is down. [GL #4260]
6265. [bug] Don't schedule resign operations on the raw version
of an inline-signing zone. [GL #4350]
6261. [bug] Fix a possible assertion failure on an error path in
resolver.c:fctx_query(), when using an uninitialized
link. [GL #4331]
6254. [cleanup] Add semantic patch to do an explicit cast from char
to unsigned char in ctype.h class of functions.
[GL #4327]
6252. [test] Python system tests have to be executed by invoking
pytest directly. Executing them with the legacy test
runner is no longer supported. [GL #4250]
6250. [bug] The wrong covered value was being set by
dns_ncache_current for RRSIG records in the returned
rdataset structure. This resulted in TYPE0 being
reported as the covered value of the RRSIG when dumping
the cache contents. [GL #4314]
Note: B.ROOT-SERVERS.NET's addresses will be changed November 27, 2023.
9.16.45 (2023-11-15)
6269. [maint] B.ROOT-SERVERS.NET addresses are now 170.247.170.2 and
2801:1b8:10::b. [GL #4101]
6254. [cleanup] Add semantic patch to do an explicit cast from char
to unsigned char in ctype.h class of functions.
[GL #4327]
6250. [bug] The wrong covered value was being set by
dns_ncache_current for RRSIG records in the returned
rdataset structure. This resulted in TYPE0 being
reported as the covered value of the RRSIG when dumping
the cache contents. [GL #4314]
- Remove inet6 option; simply depend on dual-stack ucspi-tcp6 (or
v4-only original DJB ucspi-tcp, if that's already installed)
- Apply upstream patch to support https URLs under e.g. sslserver
- Add patch comments
Switch to a maintained fork.
Changes:
This is the first version of Syncthing-GTK maintained by a new team
at https://github.com/syncthing-gtk.
Changes:
Port to Python3. Python2 is not supported anymore.
Miscellaneous fixes about icons
Miscellaneous fixes about app indicators on KDE, Gnome.
Translation updates
1.22.6
Highlighted bugfixes:
Security fixes for the MXF demuxer and H.265 video parser
Fix latency regression in H.264 hardware decoder base class
androidmedia: fix HEVC codec profile registration and fix coded_data handling
decodebin3: fix switching from a raw stream to an encoded stream
gst-inspect: prettier and more correct signal and action signals printing
rtmp2: Allow NULL flash version, omitting the field, for better RTMP server compatibility
rtspsrc: better compatibility with buggy RTSP servers that don't set a clock-rate
rtpjitterbuffer: fix integer overflow that led to more packets being declared lost than have been lost
v4l2: fix video encoding regression on RPi and fix support for left and top padding
waylandsink: Crop surfaces to their display width height
cerbero: Recognise Manjaro; add Rust support for MSVC ARM64; cmake detection fixes
various bug fixes, memory leak fixes, and other stability and reliability improvements
1.22.5
Highlighted bugfixes:
Security fixes for the RealMedia demuxer
vaapi decoders, postproc: Disable DMAbuf from caps negotiation to fix garbled video in some cases
decodebin3, playbin3, parsebin fixes, especially for stream reconfiguration
hlsdemux2: fix early seeking; don't pass referer when updating playlists; webvtt fixes
gtk: Fix critical caused by pointer movement when stream is getting ready
qt6: Set sampler filtering method, fixes bad quality with qml6glsink and gstqt6d3d11
v4l2src: handle resolution change when buffers are copied
videoflip: update orientation tag in auto mode
video timecode: Add support for framerates lower than 1fps and accept 119.88 (120/1.001) fps
webrtcsink: fixes for x264enc and NVIDIA encoders
cerbero: Pull ninja from system if possible, avoid spurious bootstrap of cmake
packages: Recipe updates for ffmpeg, libsoup, orc
various bug fixes, memory leak fixes, and other stability and reliability improvements
yt-dlp 2023.11.14
Important changes
The release channels have been adjusted!
- master builds are made after each push, containing the latest fixes (but also possibly bugs). This was previously the nightly channel.
- nightly builds are now made once a day, if there were any changes.
Security: [CVE-2023-46121] Patch Generic Extractor MITM Vulnerability via Arbitrary Proxy Injection
- Disallow smuggling of arbitrary http_headers; extractors now only use specific headers
Release 2.6.8 - 3 OCT 2023
Features Added
Introduced optional argument routing instance for fs.cp() API
Introduced optional argument member_id for installation of pkg on specific member id of EX-VC
Bugs fixed
Changed the VlanTable field name to vlan-name and BfdSessionTable field name to client-bame #423
Fixed the port details in StartShell to use the port from Device object instead of default Port 22 #573
Fixed the sw.install to use Windows file path for package copy #1206
Fixed the sw.install to install the vc_master after the other vc_members gets installed for EX-3400 where unlink is set by default #1247
Removed Unused Dependency: Netaddr #1257
Fixed "object": version_info(re_version) emits ValueError: invalid literal for int() with base 10: '17-EVO' for EVO version X50.17-EVO #1264
- Bugfixes.
- s6-tcpserver has been unified! no ipv4 and ipv6 separation anymore.
* The only programs in the superserver chain are now s6-tcpserver,
s6-tcpserver-socketbinder, and s6-tcpserverd.
* s6-tcpserver-access still exists, should now run under s6-tcpserverd,
still invoked once per connection. Doesn't spam the log anymore when
invoked with no ruleset.
* Options -4 and -6 removed from s6-tcpserver and s6-tlsserver.
Protocol detection happens when the cmdline address is scanned.
* Option -e removed from s6-tlsserver. It should now always invoke
s6-tcpserver-access when needed (and only then).
- Major performance improvements. s6-tcpserverd does not fork on systems
that support posix_spawn. Also, its lookups are now logarithmic
instead of linear (which only matters on *heavy* loads).
- Bugfixes.
- New s6dns_hosts functions.
- New command: s6-dns-hosts-compile
- s6-dnsip* and s6-dnsname now support a -h option, to make use of
/etc/hosts data.
Changes in version 0.4.8.9 - 2023-11-09
This is another security release fixing a high severity bug affecting onion
services which is tracked by TROVE-2023-006. We are also releasing a guard
major bugfix as well. If you are an onion service operator, we strongly
recommend to update as soon as possible.
o Major bugfixes (guard usage):
- When Tor excluded a guard due to temporary circuit restrictions,
it considered *additional* primary guards for potential usage by
that circuit. This could result in more than the specified number
of guards (currently 2) being used, long-term, by the tor client.
This could happen when a Guard was also selected as an Exit node,
but it was exacerbated by the Conflux guard restrictions. Both
instances have been fixed. Fixes bug 40876; bugfix
on 0.3.0.1-alpha.
o Major bugfixes (onion service, TROVE-2023-006):
- Fix a possible hard assert on a NULL pointer when recording a
failed rendezvous circuit on the service side for the MetricsPort.
Fixes bug 40883; bugfix on 0.4.8.1-alpha
o Minor features (fallbackdir):
- Regenerate fallback directories generated on November 09, 2023.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2023/11/09.
Upstream NEWS:
Security Fixes:
* CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly use a send buffer after
it has been free()d in some circumstances, causing some free()d memory to be sent to the peer.
All configurations using TLS (e.g. not using --secret) are affected by this issue.
(found while tracking down CVE-2023-46849 / Github #400, #417)
* CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly restore --fragment configuration
in some circumstances, leading to a division by zero when --fragment is used. On platforms where
division by zero is fatal, this will cause an OpenVPN crash. (Github #400, #417).
User visible changes:
* DCO: warn if DATA_V1 packets are sent by the other side - this is a hard incompatibility between
a 2.6.x client connecting to a 2.4.0-2.4.4 server, and the only fix is to use --disable-dco.
* Remove OpenSSL Engine method for loading a key. This had to be removed because the original author
did not agree to relicensing the code with the new linking exception added. This was a somewhat
obsolete feature anyway as it only worked with OpenSSL 1.x, which is end-of-support.
* add warning if p2p NCP client connects to a p2mp server - this is a combination that used to work
without cipher negotiation (pre 2.6 on both ends), but would fail in non-obvious ways with 2.6 to 2.6.
* add warning to --show-groups that not all supported groups are listed (this is
due to the internal enumeration in OpenSSL being a bit weird, omitting X448 and X25519 curves).
* --dns: remove support for exclude-domains argument (this was a new 2.6 option,
with no backend support implemented yet on any platform, and it turns out that
no platform supported it at all - so remove option again)
* warn user if INFO control message too long, do not forward to management client
(safeguard against protocol-violating server implementations)
New features:
* DCO-WIN: get and log driver version (for easier debugging).
* print "peer temporary key details" in TLS handshake
* log OpenSSL errors on failure to set certificate, for example if the algorithms used
are unacceptable to OpenSSL (misleading message would be printed in cryptoapi / pkcs11 scenarios)
* add CMake build system for MinGW and MSVC builds
* remove old MSVC build system
* improve cmocka unit test building for Windows
Pkgsrc changes:
* none, other than checksums.
Upstream changes:
This release fixes a number of bugs, and adds some smaller features.
The redis-logical-db option and cachedb-no-store option can be used
for cachedb configuration. The disable-edns-do option can be used for
working around broken network parts. For DNS64 there is fallback to
plain AAAA when no A record exists.
There is a bug fix that when the UDP interface keeps returning that
sending is not possible, unbound does not loop endlessly and waits
for the condition to go away.
Resource records of type A and AAAA that are an inappropriate length
are removed from responses. This hardens against bad content.
Features
- Fix #850: [FR] Ability to use specific database in Redis, with new
redis-logical-db configuration option.
- Merge #944: Disable EDNS DO.
Disable the EDNS DO flag in upstream requests. This can be helpful
for devices that cannot handle DNSSEC information. But it should not
be enabled otherwise, because that would stop DNSSEC validation. The
DNSSEC validation would not work for Unbound itself, and also not
for downstream users. Default is no. The option
is disable-edns-do: no
- Expose the script filename in the Python module environment 'mod_env'
instead of the config_file structure which includes the linked list
of scripts in a multi Python module setup; fixes #79.
- Expose the configured listening and outgoing interfaces, if any, as
a list of strings in the Python 'config_file' class instead of the
current Swig object proxy; fixes #79.
- Mailing list patches from Daniel Gröber for DNS64 fallback to plain
AAAA when no A record exists for synthesis, and minor DNS64 code
refactoring for better readability.
- Merge #951: Cachedb no store. The cachedb-no-store: yes option is
used to stop cachedb from writing messages to the backend storage.
It reads messages when data is available from the backend. The
default is no.
Bug Fixes
- Fix for version generation race condition that ignored changes.
- Fix #942: 1.18.0 libunbound DNS regression when built without
OpenSSL.
- Fix for WKS call to getservbyname that creates allocation on exit
in unit test by testing numbers first and testing from the services
list later.
- Fix autoconf 2.69 warnings in configure.
- Fix #927: unbound 1.18.0 make test error. Fix make test without SHA1.
- Merge #931: Prevent warnings from -Wmissing-prototypes.
- Fix to scrub resource records of type A and AAAA that have an
inappropriate size. They are removed from responses.
- Fix to move msgparse_rrset_remove_rr code to util/msgparse.c.
- Fix to add EDE text when RRs have been removed due to length.
- Fix to set ede match in unit test for rr length removal.
- Fix to print EDE text in readable form in output logs.
- Fix send of udp retries when ENOBUFS is returned. It stops looping
and also waits for the condition to go away. Reported by Florian
Obser.
- Fix authority zone answers for obscured DNAMEs and delegations.
- Merge #936: Check for c99 with autoconf versions prior to 2.70.
- Fix to remove two c99 notations.
- Fix rpz tcp-only action with rpz triggers nsdname and nsip.
- Fix misplaced comment.
- Merge #881: Generalise the proxy protocol code.
- Fix #946: Forwarder returns servfail on upstream response noerror no
data.
- Fix edns subnet so that queries with a source prefix of zero cause
the recursor to send no edns subnet option to the upstream.
- Fix that printout of EDNS options shows the EDNS cookie option by
name.
- Fix infinite loop when reading multiple lines of input on a broken
remote control socket. Addresses #947 and #948.
- Fix #949: "could not create control compt".
- Fix that cachedb does not warn when serve-expired is disabled about
use of serve-expired-reply-ttl and serve-expired-client-timeout.
- Fix for #949: Fix pythonmod/ubmodule-tst.py for Python 3.x.
- Better fix for infinite loop when reading multiple lines of input on
a broken remote control socket, by treating a zero byte line the
same as transmission end. Addresses #947 and #948.
- For multi Python module setups, clean previously parsed module
functions in __main__'s dictionary, if any, so that only current
module functions are registered.
- Fix #954: Inconsistent RPZ handling for A record returned along with
CNAME.
- Fixes for the DNS64 patches.
- Update the dns64_lookup.rpl test for the DNS64 fallback patch.
- Merge #955 from buevsan: fix ipset wrong behavior.
- Update testdata/ipset.tdir test for ipset fix.
- Fix to print detailed errors when an SSL IO routine fails via
SSL_get_error.
- Clearer configure text for missing protobuf-c development libraries.
- autoconf.
- Merge #930 from Stuart Henderson: add void to
log_ident_revert_to_default declaration.
- Fix #941: dnscrypt doesn't work after upgrade to 1.18 with
suggestion by dukeartem to also fix the udp_ancil with dnscrypt.
- Fix SSL compile failure for definition in log_crypto_err_io_code_arg.
- Fix SSL compile failure for other missing definitions in
log_crypto_err_io_code_arg.
- Fix compilation without openssl, remove unused function warning.
- Mention flex and bison in README.md when building from repository
source.
0.24.0
* Added `BaseResponse.calls` to access calls data of a separate mocked request.
* Added `real_adapter_send` parameter to `RequestsMock` that will allow users to set
through which function they would like to send real requests
* Added support for re.Pattern based header matching.
* Added support for gzipped response bodies to `json_params_matcher`.
* Fix `Content-Type` headers issue when the header was duplicated.
* Moved types-pyyaml dependency to `tests_requires`
* Removed Python3.7 support
Changes in version 0.4.8.8 - 2023-11-03
We are releasing today a fix for a high security issue, TROVE-2023-004, that
is affecting relays. Also a few minor bugfixes detailed below. Please upgrade
as soon as possible.
o Major bugfixes (TROVE-2023-004, relay):
- Mitigate an issue when Tor compiled with OpenSSL can crash during
handshake with a remote relay. Fixes bug 40874; bugfix
on 0.2.7.2-alpha.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on November 03, 2023.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2023/11/03.
o Minor bugfixes (directory authority):
- Look at the network parameter "maxunmeasuredbw" with the correct
spelling. Fixes bug 40869; bugfix on 0.4.6.1-alpha.
o Minor bugfixes (vanguards addon support):
- Count the conflux linked cell as valid when it is successfully
processed. This will quiet a spurious warn in the vanguards addon.
Fixes bug 40878; bugfix on 0.4.8.1-alpha.
Changes in version 0.4.8.7 - 2023-09-25
This version fixes a single major bug in the Conflux subsystem on the client
side. See below for more information. The upcoming Tor Browser 13 stable will
pick this up.
o Major bugfixes (conflux):
- Fix an issue that prevented us from pre-building more conflux sets
after existing sets had been used. Fixes bug 40862; bugfix
on 0.4.8.1-alpha.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on September 25, 2023.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2023/09/25.
Changes in version 0.4.8.6 - 2023-09-18
This version contains an important fix for onion service regarding congestion
control and its reliability. Apart from that, unneeded BUG warnings have been
suppressed especially about a compression bomb seen on relays. We strongly
recommend, in particular onion service operators, to upgrade as soon as
possible to this latest stable.
o Major bugfixes (onion service):
- Fix a reliability issue where services were expiring their
introduction points every consensus update. This caused
connectivity issues for clients caching the old descriptor and
intro points. Bug reported and fixed by gitlab user
@hyunsoo.kim676. Fixes bug 40858; bugfix on 0.4.7.5-alpha.
o Minor features (debugging, compression):
- Log the input and output buffer sizes when we detect a potential
compression bomb. Diagnostic for ticket 40739.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on September 18, 2023.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2023/09/18.
o Minor bugfix (defensive programming):
- Disable multiple BUG warnings of a missing relay identity key when
starting an instance of Tor compiled without relay support. Fixes
bug 40848; bugfix on 0.4.3.1-alpha.
o Minor bugfixes (bridge authority):
- When reporting a pseudo-networkstatus as a bridge authority, or
answering "ns/purpose/*" controller requests, include accurate
published-on dates from our list of router descriptors. Fixes bug
40855; bugfix on 0.4.8.1-alpha.
o Minor bugfixes (compression, zstd):
- Use less frightening language and lower the log-level of our run-
time ABI compatibility check message in our Zstd compression
subsystem. Fixes bug 40815; bugfix on 0.4.3.1-alpha.
Changes in version 0.4.8.5 - 2023-08-30
Quick second release after the first stable few days ago fixing minor
annoying bugfixes creating log BUG stacktrace. We also fix BSD compilation
failures and PoW unit test.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on August 30, 2023.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2023/08/30.
o Minor bugfix (NetBSD, compilation):
- Fix compilation issue on NetBSD by avoiding an unnecessary
dependency on "huge" page mappings in Equi-X. Fixes bug 40843;
bugfix on 0.4.8.1-alpha.
o Minor bugfix (NetBSD, testing):
- Fix test failures in "crypto/hashx" and "slow/crypto/equix" on
x86_64 and aarch64 NetBSD hosts, by adding support for
PROT_MPROTECT() flags. Fixes bug 40844; bugfix on 0.4.8.1-alpha.
o Minor bugfixes (conflux):
- Demote a relay-side warn about too many legs to ProtocolWarn, as
there are conditions that it can briefly happen during set
construction. Also add additional set logging details for all
error cases. Fixes bug 40841; bugfix on 0.4.8.1-alpha.
- Prevent non-fatal assert stacktrace caused by using conflux sets
during their teardown process. Fixes bug 40842; bugfix
on 0.4.8.1-alpha.
3.17.0
Added
New method to determine the actual zone name for a given FQDN. Historically it was an extraction of the second-level domain given well-known TLDs (eg., domain.net for www.domain.net) using tldextract, and usage of --delegated option to enforce a specific zone name that is useful for third-level domains hosted on a specific zone (eg., sub-zone sub.domain.net delegated from zone domain.net). It is now possible to use the --resolve-zone-name flag on Lexicon client to trigger an actual resolution of the zone name from a given FQDN using live DNS servers by leveraging dnspython utilities. Most of the time this makes --delegated useless, since Lexicon will be able to guess the correct zone name.
1.6.6 (stable)
- NetworkManager: Drop manual creation of lo contexts
- ServiceProxy: Add new API for creating actions
- Introspection: Be more resilient against weird formatting
- Acl: Improve introspectability
- ServiceProxy: Add result iterator for Action
- Plug various smaller leaks
3.66.1 (2023-11-03)
- macOS: Fixed display of local filenames containing non-ASCII characters if LC_CTYPE wasn't set
3.66.0 (2023-10-23)
- Fixed a sorting issue in comparative search
3.66.0-rc1 (2023-10-11)
- Fixed crash removing items from the list of file extensions treated as text files
- Fixed potential crash if shutting down HTTP client.
- Fixed HTTP timeouts
0.45.0 (2023-10-11)
+ fz::hash_accumulator now also works with hmac_sha256
+ Added is_digest and digest_size to fz::hash_accumulator
+ MSW: Added function to delete registry values
- Fixed a crash and a stall in the HTTP client